Hi! Later in this comment I wrote description of way how to reproduce CVE-2023-34151 in recent imagemagick from Debian Bookworm.
Rouca, plese, let me know, is it enough to start investigating of the problem? Goto page https://app.vagrantup.com/debian (mentioned here https://wiki.debian.org/Teams/Cloud/VagrantBaseBoxes) and find the latest bookworm image. For now it is https://app.vagrantup.com/debian/boxes/bookworm64/versions/12.20240503.1. Create a Vagrantfile. Something like this: # -*- mode: ruby -*- # vi: set ft=ruby : Vagrant.configure("2") do |config| config.vm.box = "debian/bookworm64" config.vm.box_url = "https://app.vagrantup.com/debian/boxes/bookworm64/versions/12.20240503.1/providers/virtualbox/unknown/vagrant.box"; config.vm.provider "virtualbox" do |v| v.cpus = 4 v.memory = 4096 end end Number of CPUs and memory depends on available resources on the host machine. In my case for some reasons it was impossible for me to download image using vagrant, so I downloaded it by wget: wget https://app.vagrantup.com/debian/boxes/bookworm64/versions/12.20240503.1/providers/virtualbox/unknown/vagrant.box Then added manually: vagrant box add --name="debian/bookworm64 12.20240503.1" vagrant.box And then created Vagrantfile: # -*- mode: ruby -*- # vi: set ft=ruby : Vagrant.configure("2") do |config| config.vm.box = "debian/bookworm64 12.20240503.1" config.vm.provider "virtualbox" do |v| v.cpus = 4 v.memory = 4096 end end Run VM: vagrant up And login into it: vagrant ssh Update apt cache: sudo apt update Upgrade packages: sudo apt upgrade My upgrade logs you can see here: https://pastila.nl/?0077368d/4cae0de35fb23d588f6396b10a636541#RKclXYVIqKzf+F7DVI+eZw== Reboot VM to be sure all updates are properly applied and activated (new kernel, fox example). And login into VM again. Install build deps for imagemagick: sudo apt build-dep imagemagick My install build deps logs are here: https://pastila.nl/?0003cd4a/6035ab75de7090a94ed980ba416f89e1#blX3XanLb3+nivO4q9rnCg== Download sources of imagemagick: apt-get source imagemagick My logs of sources download are here: https://pastila.nl/?0004c766/e890d59367daa72a9beb1f4098a3cd67#/F40TRjcilEcYaoB7EdO7A== In my case it was 8:6.9.11.60+dfsg-1.6+deb12u1 version of imagemagick. Notice, that is the same version as mentioned is listed on page about CVE-2023-34151 in Debian Bookworm, where it is shown as fixed for this version: https://security-tracker.debian.org/tracker/CVE-2023-34151 Now I will show that it is not fixed properly. Goto into folder with sources (cd imagemagick-6.9.11.60+dfsg) and configure it with sanitizers as described in issue about that CVE in upstrem: https://github.com/ImageMagick/ImageMagick/issues/6341 ./configure CFLAGS='-g -fsanitize=address,undefined,float-cast-overflow -fsanitize-recover=address,undefined,float-cast-overflow' LDFLAGS='-fsanitize=address,undefined,float-cast-overflow -lasan -lubsan' My configure log you can see here: https://pastila.nl/?0002f9fa/82b03b8d0b9dd10ab2c77440b9493792#K9AQSIijCBz587U2FFlnWA== And then make: make -j4 Number of processes depends on number of CPUs in virtual machine (4 in my case). This is my build log: https://pastila.nl/?00057c79/3d9f90769d9006fc957753a33d01a0e0#y5IrEC8oEd6MJ2MOW+ezEQ== Then download file samples.zip mentioned in issue 6341: wget https://github.com/ImageMagick/ImageMagick/files/11497437/samples.zip Install unzip: sudo apt install unzip Unzip the archive: unzip samples.zip Run sample as described in issue 6341 on ImageMagick's github (it was slightly adopted to use shell wrapper created on build): ./magick.sh identify mvg:piechart.mvg As result we getting an error: coders/mvg.c:180:33: runtime error: 5e+26 is outside the range of representable values of type 'long unsigned int' identify: must specify image size `piechart.mvg' @ error/mvg.c/ReadMVGImage/186. It is the same, as described in issue 6341 on ImageMagick's github. This error was also reproduced in upstream version of ImageMagick, see here: https://github.com/ImageMagick/ImageMagick/issues/6341#issuecomment-2063607226 And upstream developers finally fixed it: https://github.com/ImageMagick/ImageMagick/issues/6341#issuecomment-2072595608 The also backported fix into ImageMagick6: https://github.com/ImageMagick/ImageMagick/issues/6341#issuecomment-2108156142 I tried to create a patch suitable for Debian. I had succeed with patch for Debian Buster, see earlier: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070340#15 Unfortunately, I couldn't create such patch for Debian Bookworm. As I remember, there were conflicts when I tried to apply patch for imagemagick in Debian Buster, mentioned earlier, to Debian Bookworm. Help of more qualified people needed. Thanks, Sergei. сб, 22 июн. 2024 г. в 15:39, Bastien Roucariès <ro...@debian.org>: > > Hi, > > Could you post as plain texte the document you put in a google doc and the > image used as attached document ? > > It will help other to reproduce > > Thanks > > rouca
